Wickr - Top secret messenger

Can’t believe I haven’t heard of Wickr before (launched June 2012?), seems to be popular and reinforces the appetite out there for SAFE messaging.


Peer-to-Peer encryption, does not rely on centralized private KDC for decryption

Wickr App

  • ID and device info are cryptographically hashed with multiple rounds
    of salted cryptographic hashing using SHA256
  • Data at rest and in transit is encrypted with AES256
  • No password or password hashes leave device
  • Messages and media are forensically wiped after they expire

Wickr Secure Exchange Server

  • In contact with encrypted messages/media only
  • Never in contact with passwords of private encryption keys
  • Deletes messages on delivery
  • Interacts with only hashed ID and device info


Automatically Find Friends Without Ratting Them Out


However…

But Wickr also has a “proprietary algorithm,” secret to everybody except the app developers and some trusted reviewers. Wickr doesn’t have open source code.

In other words, only the company knows precisely how its privacy-enhancing system works. And that’s exactly where Wickr’s privacy and security utopia could fail and crumble, according to cryptography and security experts.

“We have a kind of a maxim in our field, in cryptography, which is that the systems should be open,” says Matthew Green, a cryptography researcher and professor at Johns Hopkins University Information Security Institute.

Green echoes what Bruce Schneier, a cryptography and security guru, has been saying for a long time. “The idea is simple,” wrote Schneier in a 1999 newsletter. “Cryptography is hard to do right, and the only way to know if something was done right is to be able to examine it.”


LAW ENFORCEMENT GUIDELINES

Wickr is committed to operating in an environment of complete transparency and to cooperating with law enforcement while respecting each individual’s right to privacy.

Requests for Wickr Account Information

Requests for user account information from U.S. law enforcement should be directed to Wickr in San Francisco, California. Wickr responds to valid legal process issued in compliance with U.S. law.

Private Information Requires a Subpoena or Court Order

Non-public information about Wickr users’ accounts will not be released to law enforcement except in response to appropriate legal process such as a subpoena, court order, or other valid legal process.

Contents of Communications Are Not Available

Requests for the contents of communications require a valid search warrant from an agency with proper jurisdiction over Wickr. However, our response to such a request will reflect that either the content is not available or that, in very limited instances where a message has not yet been retrieved by the recipient, the content will be limited to scrambled data which is indecipherable.

Will Wickr Notify Users of Requests for Account Information?

Yes. Wickr’s policy is to notify users of requests for their account information prior to disclosure including providing user with a copy of the request, unless we are prohibited by law from doing so. Since we cannot envision a scenario in which the provision to law enforcement of the date an account was created, the type of device, and the date of last use, will assist in an emergency situation, we maintain that user notification will occur unless legally bound not to notify users of law enforcement requests for their user information.

What Information Can Wickr Supply You With?

Wickr has the following information about User Accounts:

• Date an account was created
• Type of device on which such account was installed
• Date of last use

What Must Be Included in Account Information Requests?

When requesting user account information, you must include ALL of the following:

◦ User name (Wickr ID) for account being investigated
◦ A valid official email address
◦ Law enforcement letterhead
◦ Description of account information being sought

Service of Process

We do not accept legal process via email. Receipt of correspondence and communication with law enforcement by email do not waive any objections to the lack of jurisdiction or proper service inherent in attempted service of process via email.

Production of Records and Authentication

We provide responsive records in electronic format and believe that any records produced in response to a valid law enforcement request are self-authenticating. If you require a declaration, please explicitly note that in your request. At this time we do not anticipate seeking reimbursement for the costs of producing records because we believe those costs will be de minimis based on the limited information we can supply.

Mutual Legal Assistance Treaties

Wickr’s policy is to promptly respond to requests that are issued via U.S. court upon proper service of process either by way of a mutual legal assistance treaty or letter rogatory.

New to me as well, they do seem to have servers :frowning: but the team page is colossal so maybe very well funded. Interesting find (again)

"WTF"

I suspect the metadata here on the servers and Facebook as well will give away a lot of info. It may allow graph searches to collate way too much info.

Yes, but they are special servers…hosted in the Caymans :wink:

1 Like

This smells so much like a honey pot I’m making toast! :slight_smile:

I was thinking that myself, but the funny thing is…Australian politicians have been reported as using it. The same people that pass legislation to collect all data and retain for years, don’t want their data collected.

I hope it is the good guys sucking the traitors into a trap of their own making.

The other possibility is bad guys using it and doing bad stuff and privacy being blamed for the outcome…the old problem, reaction, solution…a totally exposed chaos/order dialectic that sadly, only a small section of the populace recognizes as inherent in your standard two party political system.

2 Likes

You also find that many of Silent Circle’s clients are world governments. ‘Do as I say, not as I do’ springs to mind!

3 Likes

After reading this post I tried Wickr.

My impression is that they’re making too much of an effort trying to appear secure rather than making the application user friendly. I’d go for Tox any day instead :slight_smile:

1 Like

Cheers, good to get a view from somebody using it.

Folks, I have been using Wickr for reasons of secure and encrypted texting. Unfortunately, lately I am getting the same message posted by my contacts twice or even thrice. Like the same message appears twice or even thrice. I tried asking Wickr several times why this may occur but they do not respond at all. Does anyone have any ideas as to why this may happen? I am concerned about the security of my messages.